Dezső BICZÓ
As I said in https://github.com/cweagans/composer-patches/issues/347#issuecomment-1004603765 I am really happy that there is some movement around this topic, so thanks for this PR. What I like about this approach that it...
But `vendor/composer/installed.json` is not committed to VCS, so it is basically useless, the original behavior was better.
> composer install shows no error, no warning, therefore, makes me believe all the patches have correctly applied. Can you check if you have this configured on the project level?...
I wanted to open a new issue but I am glad that I am not the only one who finds the "enable-patching" option is a slippery slope and a possible security...
If you work for an enterprise, it is also a regular security requirement that you only install external libs from signed sources. By using Packagist and Composer you get that. But...
First of all, I am thrilled that there is some movement on this topic :tada: How Composer Patches could be leveraged in supply chain attacks was one of those problems...
Posted a long review on the solution implemented in #388 which may contain ideas on how this can be solved differently, so I am leaving a reference here: https://github.com/cweagans/composer-patches/pull/388#issuecomment-1004777772
I totally share your enthusiasm on these topics, great additions! Although I feel that this PR tries to introduce too many new concepts and features (patches ignore + patch...
I have two Twitter threads for you :) https://twitter.com/IEMIXER/status/1430504753805602820 TL;DR Consider sponsoring @cweagans https://twitter.com/IEMIXER/status/1430505791665188864 TL;DR Consider if patching is the right solution :) I have even mentioned this PR in...